Singapore’s approach to protecting citizens’ data is heavily weighted in favour of government and businesses

Singapore by night

Europe’s data protection laws highlight how weak personal data ownership laws are in Singapore. The system favours businesses and government agencies, often at the cost of individual privacy.

By Preetam Kaushik

The internet is like a sponge. Every time users post to social media, shop online, upload images, or create accounts on their favourite websites, the sponge absorbs their information.

While this information can be put to good use—for the betterment of existing products or the creation of new, useful products and services—the potential for misuse is massive. Data ownership and privacy have become hot topics in the wake of high-profile scandals like the Cambridge Analytica issue in the US, and the SingHealth data breach closer to home in 2018.

Data ownership has added significance in Singapore

As a global financial centre with a projected internet user penetration of 93% for 2020, Singapore is at the apex of the data ownership and privacy conversation. The nation has ambitious plans to go “smart,” with the digitization of all aspects of life, from public safety and traffic controls to national healthcare databases.

Citizens residing in this future “smart nation” will have to live with the increased availability of their personal data online. This includes data held by private companies, as well as those in the servers of government agencies, which could include everything from basic contact information, biometrics, and NRIC numbers.

But who owns this data? If it can be monetized, should citizens reap the economic benefits of their data? Do citizens have a right to privacy?

“Data ownership” is linked to individual consent

Unlike a physical object, it is not easy to assign a monetary value to data.

Citizens’ data is collected and stored by private organizations and public agencies, often at considerable cost and effort. Many businesses claim that they own the data and have earnt the right to use or “monetize” the data as they deem fit.

Instead of talking about data ownership, it is better to frame the conversation around data control. Currently, the public has to grant permission for a business to assume control over how a particular piece of data is obtained and used. This is usually done by giving the individual the ability to provide informed consent. Without the user’s consent, the data cannot be legally collected or used.

This consent has to be clear and unambiguous. Many businesses ask users to accept certain terms and conditions when navigating their website or using their app. Most users click accept without reading the document, leaving them unaware of the permissions they have granted the company or how their data may be used.  

Singapore’s personal data privacy laws built on what worked in other countries

Singapore enacted its first laws on data protection and privacy in 2012. Called the Personal Data Protection Act (PDPA), it was based on data protection models that had been implemented elsewhere. Aspects of the PDPA were present in legislation from the European Union (EU), Canada, New Zealand, and Hong Kong, as well as other international recommendations like OECD Guidelines and APEC Privacy Framework.

PDPA outlines the various requirements for the collection and transfer of personal data by businesses that serve Singaporeans. The act lays out the necessity of securing informed consent from individuals, limits the purposes for collection of data, and outlines the exceptions.

Alongside the PDPA, the government also created the Personal Data Protection Commission (PDPC) to enforce the new data protection regulations in Singapore. The PDPC is responsible for performing periodic reviews of the legislation and updating the legal framework when necessary.  

What is the significance of GDPR?

Although it was adopted a full six years after the PDPA came into existence, the EU’s General Data Protection Regulation (GDPR) is considered the gold standard when it comes to protecting individual privacy and defining control of personal data. It has some of the strictest provisions anywhere in the world on issues of individual privacy, consent, and data storage.

As the EU’s precursors to the GDPR served as one of the inspirations for Singapore’s PDPA, there are many similarities between the two frameworks. Both place an emphasis on the issue of user consent.

But in other areas, the PDPA and the GDPR are poles apart. The former has several weaknesses that have not been revisited since the bill’s conception.

The PDPA does not apply to the public sector

The single biggest point of departure between the two frameworks relates to the public sector and government agencies. While the GDPR is applicable to both private and public organizations, Singapore’s data protection laws only pertain to private organizations and businesses.

This essentially means that Singaporean citizens have no ownership controls over their data when the government (or any private organization on behalf of the government) is collecting and storing the data.

The dangers of this exemption have been thrown into stark relief by the recent spate of data breaches in Singapore. Nearly all of them involved government agencies, and all of them led to the compromise of citizens’ data. A general lack of transparency and inadequate oversight in matters of cybersecurity seem to have contributed to this state of affairs.

Under GDPR, public agencies are also required to demonstrate data security compliance. If there was a similar level of accountability in Singapore’s public sector with regard to data privacy, it is possible many of the data breaches could have been avoided.

Data breaches are unavoidable in the current climate of cybercrimes. But their threat can be minimized. When citizens’ private data is involved, the government has a heightened responsibility to safeguard the data it controls.  

The PDPA’s consent provisions are watered down by exemptions

On the face of it, the PDPA seems to have a robust definition of consent. But in practice, this is heavily compromised by exemptions—around 18 in total.

There are a few reasonable exemptions involving specific situations or contexts, like data that is available in the public domain, or that which is collected for national security.

But a several of these exemptions have come under severe criticism for being unsuitably vague and unreasonable. For example, the clause that permits businesses to collect “data that is in the interest of the individual” without securing consent has received some criticism. Other exemptions include data collection for “artistic purpose,” “debt recovery,” and “evaluative purposes.”

Companies are also allowed to use and disclose user data without individual consent in over 29 situations (10 exemptions for data use and 19 for disclosure).

Even more worrisome is the fact that explicit consent is not necessary in many instances where the individual provides data voluntarily. In these cases, the method of collection is considered to have secured the users’ implied consent.

The data privacy laws in Singapore are heavily weighted in favour of businesses and government agencies. The laws facilitate the collection and use of data for businesses at the expense of user privacy and control.  

The PDPA has a long way to go if Singaporeans are to enjoy the same levels of ownership and control over their personal data as EU citizens. The GDPR is far from perfect, but there is much that the PDPC can learn and emulate from it.

The Singaporean government’s overwhelming focus on economic development and the facilitation of digital enterprise, hope for a drastic change in the framework is slim at best.

Then again, it took the EU over 30 years to arrive at GDPR – the PDPA is still very young in comparison. Change is possible, and the numerous consultations on PDPA reforms in recent years show that the government is open to input from all stakeholders. If Singaporeans express their concerns and make a concerted push to take back control of their data, the government will be forced to reevaluate the relationship between consumers and their personal data.